name: Coverity

# This GitHub workflow automates submitting builds to Coverity Scan. To enable it,
# set the repository variable `ENABLE_COVERITY_SCAN_FOR_BRANCHES` (for details, see
# https://docs.github.com/en/actions/learn-github-actions/variables) to a JSON
# string array containing the names of the branches for which the workflow should be
# run, e.g. `["main", "next"]`.
#
# In addition, two repository secrets must be set (for details how to add secrets, see
# https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions):
# `COVERITY_SCAN_EMAIL` and `COVERITY_SCAN_TOKEN`. The former specifies the
# email to which the Coverity reports should be sent and the latter can be
# obtained from the Project Settings tab of the Coverity project).
#
# The workflow runs on `ubuntu-latest` by default. This can be overridden by setting
# the repository variable `ENABLE_COVERITY_SCAN_ON_OS` to a JSON string array specifying
# the operating systems, e.g. `["ubuntu-latest", "windows-latest"]`.
#
# By default, the builds are submitted to the Coverity project `git`. To override this,
# set the repository variable `COVERITY_PROJECT`.

on:
  push:

defaults:
  run:
    shell: bash

jobs:
  coverity:
    if: contains(fromJSON(vars.ENABLE_COVERITY_SCAN_FOR_BRANCHES || '[""]'), github.ref_name)
    strategy:
      matrix:
        os: ${{ fromJSON(vars.ENABLE_COVERITY_SCAN_ON_OS || '["ubuntu-latest"]') }}
    runs-on: ${{ matrix.os }}
    env:
      COVERITY_PROJECT: ${{ vars.COVERITY_PROJECT || 'git' }}
      COVERITY_LANGUAGE: cxx
      COVERITY_PLATFORM: overridden-below
    steps:
      - uses: actions/checkout@v4
      - name: install minimal Git for Windows SDK
        if: contains(matrix.os, 'windows')
        uses: git-for-windows/setup-git-for-windows-sdk@v1
      - run: ci/install-dependencies.sh
        if: contains(matrix.os, 'ubuntu') || contains(matrix.os, 'macos')
        env:
          runs_on_pool: ${{ matrix.os }}

      # The Coverity site says the tool is usually updated twice yearly, so the
      # MD5 of download can be used to determine whether there's been an update.
      - name: get the Coverity Build Tool hash
        id: lookup
        run: |
          case "${{ matrix.os }}" in
          *windows*)
            COVERITY_PLATFORM=win64
            COVERITY_TOOL_FILENAME=cov-analysis.zip
            MAKEFLAGS=-j$(nproc)
            ;;
          *macos*)
            COVERITY_PLATFORM=macOSX
            COVERITY_TOOL_FILENAME=cov-analysis.dmg
            MAKEFLAGS=-j$(sysctl -n hw.physicalcpu)
            ;;
          *ubuntu*)
            COVERITY_PLATFORM=linux64
            COVERITY_TOOL_FILENAME=cov-analysis.tgz
            MAKEFLAGS=-j$(nproc)
            ;;
          *)
            echo '::error::unhandled OS ${{ matrix.os }}' >&2
            exit 1
            ;;
          esac
          echo "COVERITY_PLATFORM=$COVERITY_PLATFORM" >>$GITHUB_ENV
          echo "COVERITY_TOOL_FILENAME=$COVERITY_TOOL_FILENAME" >>$GITHUB_ENV
          echo "MAKEFLAGS=$MAKEFLAGS" >>$GITHUB_ENV
          MD5=$(curl https://scan.coverity.com/download/$COVERITY_LANGUAGE/$COVERITY_PLATFORM \
                   --fail \
                   --form token='${{ secrets.COVERITY_SCAN_TOKEN }}' \
                   --form project="$COVERITY_PROJECT" \
                   --form md5=1)
          case $? in
          0) ;; # okay
          22) # 40x, i.e. access denied
            echo "::error::incorrect token or project?" >&2
            exit 1
            ;;
          *) # other error
            echo "::error::Failed to retrieve MD5" >&2
            exit 1
            ;;
          esac
          echo "hash=$MD5" >>$GITHUB_OUTPUT

      # Try to cache the tool to avoid downloading 1GB+ on every run.
      # A cache miss will add ~30s to create, but a cache hit will save minutes.
      - name: restore the Coverity Build Tool
        id: cache
        uses: actions/cache/restore@v4
        with:
          path: ${{ runner.temp }}/cov-analysis
          key: cov-build-${{ env.COVERITY_LANGUAGE }}-${{ env.COVERITY_PLATFORM }}-${{ steps.lookup.outputs.hash }}
      - name: download the Coverity Build Tool (${{ env.COVERITY_LANGUAGE }} / ${{ env.COVERITY_PLATFORM}})
        if: steps.cache.outputs.cache-hit != 'true'
        run: |
          curl https://scan.coverity.com/download/$COVERITY_LANGUAGE/$COVERITY_PLATFORM \
            --fail --no-progress-meter \
            --output $RUNNER_TEMP/$COVERITY_TOOL_FILENAME \
            --form token='${{ secrets.COVERITY_SCAN_TOKEN }}' \
            --form project="$COVERITY_PROJECT"
      - name: extract the Coverity Build Tool
        if: steps.cache.outputs.cache-hit != 'true'
        run: |
          case "$COVERITY_TOOL_FILENAME" in
          *.tgz)
            mkdir $RUNNER_TEMP/cov-analysis &&
            tar -xzf $RUNNER_TEMP/$COVERITY_TOOL_FILENAME --strip 1 -C $RUNNER_TEMP/cov-analysis
            ;;
          *.dmg)
            cd $RUNNER_TEMP &&
            attach="$(hdiutil attach $COVERITY_TOOL_FILENAME)" &&
            volume="$(echo "$attach" | cut -f 3 | grep /Volumes/)" &&
            mkdir cov-analysis &&
            cd cov-analysis &&
            sh "$volume"/cov-analysis-macosx-*.sh &&
            ls -l &&
            hdiutil detach "$volume"
            ;;
          *.zip)
            cd $RUNNER_TEMP &&
            mkdir cov-analysis-tmp &&
            unzip -d cov-analysis-tmp $COVERITY_TOOL_FILENAME &&
            mv cov-analysis-tmp/* cov-analysis
            ;;
          *)
            echo "::error::unhandled archive type: $COVERITY_TOOL_FILENAME" >&2
            exit 1
            ;;
          esac
      - name: cache the Coverity Build Tool
        if: steps.cache.outputs.cache-hit != 'true'
        uses: actions/cache/save@v4
        with:
          path: ${{ runner.temp }}/cov-analysis
          key: cov-build-${{ env.COVERITY_LANGUAGE }}-${{ env.COVERITY_PLATFORM }}-${{ steps.lookup.outputs.hash }}
      - name: build with cov-build
        run: |
          export PATH="$RUNNER_TEMP/cov-analysis/bin:$PATH" &&
          cov-configure --gcc &&
          cov-build --dir cov-int make
      - name: package the build
        run: tar -czvf cov-int.tgz cov-int
      - name: submit the build to Coverity Scan
        run: |
          curl \
            --fail \
            --form token='${{ secrets.COVERITY_SCAN_TOKEN }}' \
            --form email='${{ secrets.COVERITY_SCAN_EMAIL }}' \
            --form file=@cov-int.tgz \
            --form version='${{ github.sha }}' \
            "https://scan.coverity.com/builds?project=$COVERITY_PROJECT"
